The route to reversing my router

I have been dabbling in reverse engineering a bit lately, trying to get progressively better. While updating my router and attempting to configure some settings, I figured, why not attempt to reverse the firmware? Keep in mind I'm pretty new to reversing, so I will include the roadblocks I hit along the way.



Router type: ASUS RT-AC53U

Firmware: Version

Description: Dual-band wireless-AC1200 router

Filetype: .zip extracted into .trx





I started by downloading the firmware from the ASUS website, which was not too difficult to find:


Static File Analysis

Once I downloaded the firmware I simply double-clicked it and it extracted into a .trx file. I was instantly baffled by a file extension I had never seen before, so I ran the file command on it:

sneakerhax$ file RT-AC53U_3.0.0.4_376_3754-g5ef7c1f.trx
RT-AC53U_3.0.0.4_376_3754-g5ef7c1f.trx: data

This still did not reveal what I wanted to know, so I ran xxd on it to look at the magic bytes:

sneakerhax$ xxd -l 4 RT-AC53U_3.0.0.4_376_3754-g5ef7c1f.trx
0000000: 4844 5230  HDR0

I searched for HDR0 and found some information on the OpenWrt website, which started to clear things up: HDR0 is the magic of a TRX firmware header. I also ran strings and hexdump, which produce too much output to paste in this article but are worth running during static analysis. Now I knew I had to dump the contents of the firmware image.

Extracting and Analyzing

I used binwalk to take an initial look at the file:

sneakerhax$ binwalk RT-AC53U_3.0.0.4_376_3754-g5ef7c1f.trx 

0             0x0             TRX firmware header, little endian, image size: 26750976 bytes, CRC32: 0x154FEC57, flags: 0x0, version: 1, header size: 28 bytes, loader offset: 0x1C, linux kernel offset: 0x136078, rootfs offset: 0x0
28            0x1C            LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 3482336 bytes
1269880       0x136078        Squashfs filesystem, little endian, non-standard signature, version 3.0, size: 25475764 bytes, 1420 inodes, blocksize: 65536 bytes, created: 2015-01-10 15:52:29
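The xxd and binwalk output above are both reading the same 28-byte TRX header: the magic "HDR0", the total image length, a CRC32, a 32-bit word holding flags (low 16 bits) and version (high 16 bits), and three partition offsets (binwalk labels them loader, linux kernel and rootfs). The following parser is an added example, not code from the original post or from ASUS or binwalk; it reproduces the fields binwalk printed and checks the image against them. The CRC convention (initial value 0xFFFFFFFF, no final inversion, covering everything from the flag/version word to the end of the image) is the one used by the OpenWrt trx tool, and I assume ASUS images use the same; the sample image in the block is constructed so that the check is self-consistent either way. The squashfs and LZMA identification is a simple magic-byte peek, not binwalk's full signature database.

```python
import struct
import zlib

TRX_MAGIC = b"HDR0"
# magic, len, crc32, flag_version, offsets[3]; little endian, as binwalk reported
TRX_HEADER_FMT = "<4sIII3I"
TRX_HEADER_SIZE = struct.calcsize(TRX_HEADER_FMT)   # 28, matching "header size: 28 bytes"


def trx_crc32(data: bytes) -> int:
    """CRC32 the way the OpenWrt trx tool computes it (assumption: ASUS matches):
    init 0xFFFFFFFF and no final inversion. zlib.crc32 inverts at the end, so undo it."""
    return zlib.crc32(data) ^ 0xFFFFFFFF


def parse_trx_header(image: bytes) -> dict:
    """Decode the header fields; raises if the magic is wrong or the data is too short."""
    if len(image) < TRX_HEADER_SIZE:
        raise ValueError("image shorter than a TRX header")
    magic, length, crc, flag_version, o0, o1, o2 = struct.unpack_from(TRX_HEADER_FMT, image, 0)
    if magic != TRX_MAGIC:
        raise ValueError(f"bad magic {magic!r}, expected {TRX_MAGIC!r}")
    return {
        "len": length,
        "crc32": crc,
        "flags": flag_version & 0xFFFF,
        "version": flag_version >> 16,
        "offsets": [o0, o1, o2],
    }


def verify_trx(image: bytes) -> list:
    """Return a list of problems; an empty list means the header is internally consistent."""
    problems = []
    hdr = parse_trx_header(image)
    if hdr["len"] > len(image):
        problems.append(f"header claims {hdr['len']} bytes but only {len(image)} present")
        return problems
    body = image[12:hdr["len"]]            # CRC covers flag_version .. end of image
    actual = trx_crc32(body)
    if actual != hdr["crc32"]:
        problems.append(f"crc mismatch: stored 0x{hdr['crc32']:08X}, computed 0x{actual:08X}")
    for off in hdr["offsets"]:
        if off and not (TRX_HEADER_SIZE <= off < hdr["len"]):
            problems.append(f"partition offset 0x{off:X} lies outside the image")
    return problems


def identify_partition(image: bytes, offset: int) -> str:
    """Crude magic-byte peek at a partition start (standard squashfs magics, LZMA props byte)."""
    head = image[offset:offset + 4]
    if head in (b"hsqs", b"sqsh"):        # little/big endian squashfs; ASUS uses a non-standard one
        return "squashfs"
    if head and head[0] == 0x5D:           # LZMA properties byte 0x5D, as binwalk showed at 0x1C
        return "lzma"
    return "unknown"


def build_trx(partitions, flags=0, version=1) -> bytes:
    """Construct a TRX image from 1..3 payloads. Used only to make sample data; not real firmware."""
    if not 1 <= len(partitions) <= 3:
        raise ValueError("TRX holds one to three partitions")
    offsets, body = [], b""
    for part in partitions:
        offsets.append(TRX_HEADER_SIZE + len(body))
        body += part
    offsets += [0] * (3 - len(offsets))    # unused slots are zero, like "rootfs offset: 0x0"
    total = TRX_HEADER_SIZE + len(body)
    flag_version = (version << 16) | (flags & 0xFFFF)
    tail = struct.pack("<I3I", flag_version, *offsets) + body
    return struct.pack("<4sII", TRX_MAGIC, total, trx_crc32(tail)) + tail


if __name__ == "__main__":
    # Constructed sample: an LZMA-looking blob (props 0x5D, dict 65536 LE) and a squashfs-looking blob.
    lzma_blob = b"\x5d" + b"\x00\x00\x01\x00" + b"\xff" * 64
    squash_blob = b"hsqs" + b"\x00" * 60
    img = build_trx([lzma_blob, squash_blob])
    hdr = parse_trx_header(img)
    print(hdr, verify_trx(img))
    for off in hdr["offsets"]:
        if off:
            print(f"0x{off:X}: {identify_partition(img, off)}")
```

Run against the real .trx, `parse_trx_header` should print the same length, CRC, flags, version and offsets binwalk listed, and `verify_trx` returning a CRC mismatch on a downloaded image would be the first sign that the file was truncated or modified in transit.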

Now I was getting somewhere. I still needed to extract the files that were inside:

binwalk -Mre RT-AC53U_3.0.0.4_376_3754-g5ef7c1f.trx
Output can be found here

This extracted the files and I had a ton of stuff to look at. I started analyzing the output. I thought it might be a good idea to search for “version” throughout the binwalk analysis, since I was trying to find the Linux kernel version, and it turned up some interesting things:

  • POSIX tar archive (GNU), owner user name: “ter” (a username)
  • ELF, 32-bit LSB executable, MIPS, version 1 (SYSV) (references to MIPS)
  • References to software in use (Squid, ftp, etc.)

I also searched for “kernel” and found some other interesting things:

  • Packages that were being used
  • version?)

***Work in progress***
